need security advice on new iis installation
on 05.02.2007 00:36:00 by ToddAndMargo
Hi All,
I just got tasked to build an IIS server for entering
credit card orders for a company. The software is
commercial and says it needs w2k3 and iis6. It does not
mention anything about security software. The order
software also has to be on the inside of the firewall,
as it has to share a directory from the main
database server.
So far, all I can figure is to have my firewall
send all incoming http and https SYN packets to the
order server. And, put firewall rules on the other
internal computers that disallow any traffic
from the order server.
I see the main server as being at risk as well: the order
server gets taken over and starts having its way with the
data on the shared drive with the main server, as well as
the order server.
I just do not like the feel of all this. How in the world do I
protect myself?
-T
Re: need security advice on new iis installation
on 06.02.2007 06:01:36 by Roger Abell
It sounds as if you have so far been looking at the requirements
of the application, as they (mis)fit with your existing environment.
I would suggest that instead you start with the requirements that
the credit card processing will place on you, as being validated
for this will likely be more restrictive than what you have been
looking at for the application.
Roger
wrote in message
news:1170632160.216948.101120@j27g2000cwj.googlegroups.com...
> Hi All,
>
> I just got tasked to build an IIS server for entering
> credit card orders for a company. The software is
> commercial and says it needs w2k3 and iis6. It does not
> mention anything about security software. The order
> software also has to be on the inside of the firewall,
> as it has to share a directory from the main
> database server.
>
> So far, all I can figure is to have my firewall
> send all incoming http and https SYN packets to the
> order server. And, put firewall rules on the other
> internal computers that disallow any traffic
> from the order server.
>
> I see the main server as being at risk as well: the order
> server gets taken over and starts having its way with the
> data on the shared drive with the main server, as well as
> the order server.
>
> I just do not like the feel of all this. How in the world do I
> protect myself?
>
> -T
>